It has become apparent that force fitting technologies architected for the physical world into the virtual network creates more problems than it solves. Older security systems were not designed to protect virtual servers or the virtual network traffic between VMs on a physical host. Moreover, the highly dynamic nature of VMs is beyond the scope of the traffic inspection capabilities of systems created specifically to protect the network perimeter.
The mismatch between security technologies designed for the physical world and the distinct requirements of virtual networks has created demand for better solutions. The most notable outcome has been the introduction of stateful firewalls and IDS designed from scratch to secure virtual environments. It is now possible, for instance, to define firewall rules that filter traffic to, from, and between VMs, and to enforce distinct policies for individual VMs as well as logical VM groups. Admins can also define a default firewall policy that is immediately applied to all newly created VMs, extending the principle of least privilege to virtual network access. Virtual network firewalls log virtual network and administrative activity for analysis and compliance purposes, and can issue alerts using SNMP traps or email.
Network and security administrators also have good options for detecting intrusions in virtual networks. Several new offerings provide the ability to run an IDS on each physical server. Alternatively, enterprises can choose to mirror virtual network traffic data to existing external IDS devices and analyze it in the context of overall network activity and established policies.
Keeping Rapidly Moving VMs Productive and Protected
A major management and security challenge unique to virtual environments is the instantaneous creation, movement, and decommissioning of virtual machines and virtualized applications. Unlike physical servers, which "stay put" and perform well-defined functions, virtual resources can respond to real-time demand. This flexibility is one reason why virtualization is so economical, but it presents new management and security concerns. Imagine tracking down the previously mentioned application problems in an environment where:
- Increasing web traffic causes new VMs to be created on several physical servers, with each VM running multiple HTTP services
- Trusted financial applications may VMotion onto the same box as external-facing self-service apps, then off again
- Users have only vague timelines for their problems while services are constantly being created, moved, and decommissioned
- A badly written database request creates a cascade of database servers which start up and then hang
- Legacy applications consume more and more virtual resources over time, slowing themselves down until they crash and restart their VMs
The dynamic nature of virtual servers and virtual applications only magnifies the need for port- and protocol-level visibility, rapid troubleshooting, and historical views into recent virtual network activity. Security teams have also recognized the implications of rapid VM movement for policy enforcement and regulatory compliance. They traditionally isolated servers into physical groups based on DMZs and VLANs, but automated creation and load-balancing between physical servers has broken this security barrier. Applications that used to live on distinct machines in segregated parts of the corporate network may now co-exist on the same physical server, intentionally or inadvertently.
This loss of isolation is especially dangerous because VM-based workloads with potentially different trust levels can now communicate with each other via the virtual network without having to touch the physical network. Devices such as external IDS that can detect such security breaches on the physical network may be completely bypassed. Traditional concepts of network isolation and network security clearly need to expand to address the brave new world of live application and data migrations.
A notable advantage of the new generation of firewalls for virtual networks is their ability to secure individual VMs and maintain uninterrupted policy enforcement before, during, and after live migration using VMware VMotion technology. In a real sense, a virtual firewall policy is "attached at the hip" to the VM and moves around the data center with it. This simple and consistent approach to virtual network security contrasts with the complex, high-maintenance, and trouble-prone VLAN schemes that some have tried to implement to achieve application and data isolation. VLAN-based virtual network security also lacks the flexibility that per-VM policies provide.
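The per-VM and group-based rules described earlier, the default policy applied at VM creation, and the policy that follows a VM through VMotion can be captured in a small model. The following is an added illustration, not code from Altor Networks or any product; the VM names, group names, hosts and rules are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_group: str   # "*" matches any group
    dst_group: str
    port: int        # 0 matches any port
    action: str      # "allow" or "deny"

@dataclass
class VM:
    name: str
    groups: set
    host: str

DEFAULT_DENY = Rule("*", "*", 0, "deny")  # applied to every VM from the moment it is created

class VirtualFirewall:
    """Policy is keyed by VM identity and group membership, never by physical host."""
    def __init__(self, rules):
        self.rules = list(rules)          # ordered; first match wins
        self.vms, self.log = {}, []

    def create_vm(self, name, groups, host):
        self.vms[name] = VM(name, set(groups), host)
        self.log.append(("create", name, host))

    def vmotion(self, name, new_host):
        self.vms[name].host = new_host    # rules reference the VM, so nothing is rewritten
        self.log.append(("vmotion", name, new_host))

    def check(self, src, dst, port):
        s, d = self.vms[src], self.vms[dst]
        for r in self.rules + [DEFAULT_DENY]:
            if (r.src_group in ("*", *s.groups) and r.dst_group in ("*", *d.groups)
                    and r.port in (0, port)):
                same_host = s.host == d.host   # True: the flow never leaves the hypervisor
                self.log.append(("flow", src, dst, port, r.action, same_host))
                return r.action == "allow"

def intrahost_flows(fw):
    """Flows an IDS on the physical network would never see; only the virtual firewall logs them."""
    return [e for e in fw.log if e[0] == "flow" and e[5]]

def demo():
    fw = VirtualFirewall([Rule("dmz", "dmz", 80, "allow"),
                          Rule("finance", "finance", 1521, "allow")])
    fw.create_vm("web01", ["dmz"], "esx-a")
    fw.create_vm("fin-app", ["finance"], "esx-a")
    fw.create_vm("fin-db", ["finance"], "esx-b")
    before = fw.check("web01", "fin-db", 1521)      # denied: only the default policy matches
    fw.vmotion("fin-db", "esx-a")                   # the DB now shares a host with the DMZ VM
    after = fw.check("web01", "fin-db", 1521)       # still denied: the policy moved with the VM
    allowed = fw.check("fin-app", "fin-db", 1521)   # permitted, and never touches the wire
    return before, after, allowed, len(intrahost_flows(fw))
```

The last value returned by `demo()` counts the flows that stayed inside one physical server after the migration, which is exactly the traffic an external IDS mirrored from the physical network cannot observe.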
New Challenges Demand Fresh Approaches
It's hard to justify securing virtual networks less diligently than securing the physical network. Yet most virtualization deployments today are violating two core security principles: network traffic to and from hosts must be monitored and logged, and it must be controlled with policy-based filters. The inability of security technologies designed for physical networks to get the job done in virtualized environments is at the root of the problem. Without appropriate tools and defense mechanisms, even the most diligent administrators are hard pressed to troubleshoot virtual network problems, detect anomalous VM activity, or address near-term demands for auditability. And the rapid deployment of highly mobile virtual systems has completely outstripped the ability of older technologies to maintain isolation between applications and data of different trust levels during live VM migrations.
These new risks and challenges are motivating network and security professionals to adopt new traffic monitoring, filtering, and policy enforcement measures optimized for the unique requirements of virtualized environments. With virtual networks carrying an increasingly large share of data center communications, it's time to give the virtual environment the same level of visibility and protection accorded the physical network.